SELinux adjustments for VirtualMin I have tried

Here is my simple lame attempt to get VirtualMin to play nice with SELinux on my RedHat 7 system.

I confess that I’m not that great at bash scripting … but it does work for me in my environment … it’s about 130 lines.

I’m hoping others may find it useful and perhaps can make it better, as well as give some ideas for possible inclusion in the base code.


#!/bin/bash

# set various SELinux file characteristics on two files for a new VirtualMin host to correct /var/log/messages errors like
#      httpd: AH00526: Syntax error on line 496 of /etc/httpd/conf/httpd.conf:
#      httpd: Wrapper /home/vlb99.local/fcgi-bin/php7.2.fcgi cannot be accessed: (13)Permission denied
#      setroubleshoot: SELinux is preventing httpd from getattr access on the file /home/vlb99.local/fcgi-bin/php7.2.fcgi
#      python: SELinux is preventing httpd from getattr access on the file /home/vlb99.local/fcgi-bin/php7.2.fcgi
#
# and only when a php file is actually accessed by apache will you see:  (referring to /home/vlb99.local/etc/php7.2/php.ini)
#      setroubleshoot: SELinux is preventing php-cgi from read access on the file php.ini
#      python: SELinux is preventing php-cgi from read access on the file php.ini
#
# General SELinux Note -- semanage custom policy items are stored in one or two config files in RedHat7:
# /etc/selinux/targeted/active/file_contexts.local
# /etc/selinux/targeted/contexts/files/file_contexts.local
#
# for the Virtualmin log directory, run (only needed once at WebMin/VirtualMin install time)
# semanage fcontext -a -t httpd_log_t "/var/log/virtualmin(/.*)?"
# restorecon -v /var/log/virtualmin
# restorecon -v /var/log/virtualmin/*
#
#
# Install this routine by:   (from https://www.virtualmin.com/documentation/developer/prepost)
#
#    Login as  ... root
#    Go to System Settings -> Virtualmin Configuration.
#    Select the    Actions upon server and user creation     category.
#    In the    Command to run after making changes to a server     field, enter
#             the full path to the post-modification command ( /usr/local/bin/fixup-virtualhost-selinux.sh )
#    Click Save.
#
#    Make sure the script(s) are executable, or else Virtualmin will not be able to run them.
#
#



# 9-apr-2019, Verne.  WVNET
#
# 15-apr-2019, Verne.  add comments with chcon examples
#
# 18-apr-2019, Verne.  Generalize so VirtualMin can call it
#
# 23-apr-2019, v1.6    Verne.       Start versioning it ... this is v1.6
#      Store this script in /usr/local/bin as fixup-virtualhost-selinux.sh
# got ideas from
# https://superuser.com/questions/352289/bash-scripting-test-for-empty-directory
# https://stackoverflow.com/questions/12179633/make-shopt-change-local-to-function
# https://www.cloudmin.com/node/33492
# https://www.virtualmin.com/documentation/developer/prepost
#
# 24-apr-2019. v1.7    Verne.   add SLEEP and apache reload at the bottom as well as a SYSLOG message
#
# 24-apr-2019. v1.8    Verne.   use variable VIRTUALSERVER_HOME instead of assuming its /home/xxxxx
#
# 24-apr-2019. v1.9    Verne.   add SELinux comments
#
# 23-sep-2019  v1.10   Verne.   add install notes taken from https://www.virtualmin.com/documentation/developer/prepost
#
# 6-Nov-2019   v1.11   Verne.   run this routine for RESTORE_DOMAIN in addition to CREATE_DOMAIN
#

# proceed only if creating a new domain or restoring a backup
if [[ "$VIRTUALSERVER_ACTION" != "CREATE_DOMAIN" && "$VIRTUALSERVER_ACTION" != "RESTORE_DOMAIN" ]]; then
   exit 0
fi

# Virtualmin exports the home directory of the server being created/restored
our_dir=$VIRTUALSERVER_HOME

if [ -z "$our_dir" ] || [ ! -d "$our_dir/fcgi-bin" ]; then
   logger "VirtualMin: custom script $0 error: directory $our_dir/fcgi-bin does not exist"
   exit 1
fi

# save the current glob settings so they can be put back afterwards
our_save_shopt=$(shopt -p nullglob dotglob)

# nullglob: an unmatched pattern expands to nothing instead of itself
# dotglob: also match a wrapper whose name starts with a dot
shopt -s nullglob dotglob

# get a list of all .fcgi files there, in case there is more than one
our_fcgi_list=("$our_dir"/fcgi-bin/*.fcgi)

# set it back the way it was
eval "$our_save_shopt"

if [ "${#our_fcgi_list[@]}" -ne 1 ]; then
   logger "VirtualMin: custom script $0 error: expected exactly one .fcgi file in $our_dir/fcgi-bin, found ${#our_fcgi_list[@]}"
   exit 1
fi

# so we have exactly one, get it
our_fcgi=${our_fcgi_list[0]}

# pull the filename aka prefix from it (e.g. php7.2) to locate the matching php.ini
our_prefix=$(basename "$our_fcgi" .fcgi)

# Now look for the php.ini file
if [ ! -d "$our_dir/etc" ]; then
   logger "VirtualMin: custom script $0 error: directory $our_dir/etc does not exist"
   exit 1
fi

our_php=$our_dir/etc/$our_prefix/php.ini

if [ ! -e "$our_php" ]; then
   logger "VirtualMin: custom script $0 error: the file $our_php does not exist"
   exit 1
fi

# assuming we created the special SELinux setting at install time, reapply it just to be sure
restorecon /var/log/virtualmin/*

# modify the file label directly instead of building a special SELinux setting and using restorecon.
# Note: chcon only changes the label on the inode; a later restorecon or full relabel
# puts the default context back. A semanage fcontext rule would survive that.
# Virtualmin keeps the wrapper immutable, so lift the flag while relabelling.
chattr -i "$our_fcgi"
chcon --type=httpd_sys_script_exec_t "$our_fcgi"
chattr +i "$our_fcgi"

# same approach for php.ini: label it directly (same non-persistence caveat as above)
chcon --type=etc_t "$our_php"

# Testing shows 6 seconds is long enough to let things settle down and have /var/log/messages entries make sense when reloading apache below
sleep 6s

# Reloading apache might not even be required, but do it for safety, and log that we are doing it
logger "VirtualMin: custom script $0 has just done a SLEEP and will now reload Apache"
systemctl reload httpd

exit 0


Verne

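A persistent variant of the same hook, added here as an example; it is not Verne’s script and not Virtualmin’s own code. It keeps the hook contract from the post (VIRTUALSERVER_ACTION / VIRTUALSERVER_HOME, one *.fcgi wrapper under fcgi-bin, php.ini under etc/<prefix>/, the types httpd_sys_script_exec_t and etc_t), but registers the labels with `semanage fcontext` so a later `restorecon` or full relabel reproduces them instead of undoing the chcon. The SELINUX_DRY_RUN variable, the function names and the regex-escaping helper are assumptions of this example; with SELINUX_DRY_RUN=1 the privileged commands are printed instead of executed, which is how it can be exercised on a box without SELinux or root.

```shell
#!/bin/bash
# Added example, not Verne's script or Virtualmin's own code. Same hook contract
# (VIRTUALSERVER_ACTION / VIRTUALSERVER_HOME, one *.fcgi wrapper in fcgi-bin,
# php.ini in etc/<prefix>/), but the labels are registered with semanage fcontext
# so restorecon or a full relabel reproduces them instead of undoing them.
# SELINUX_DRY_RUN is an assumption of this example: set it to 1 to print the
# privileged commands instead of running them.

# Run a command, or print it when SELINUX_DRY_RUN=1.
run_cmd() {
    if [ "${SELINUX_DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Print the path of the single *.fcgi wrapper under HOME/fcgi-bin; fail on 0 or 2+.
find_fcgi_wrapper() {
    local home=$1 f found= count=0
    for f in "$home"/fcgi-bin/*.fcgi; do
        [ -e "$f" ] || continue          # an unmatched glob stays a literal pattern; skip it
        found=$f
        count=$((count + 1))
    done
    if [ "$count" -ne 1 ]; then
        echo "expected exactly one .fcgi wrapper in $home/fcgi-bin, found $count" >&2
        return 1
    fi
    printf '%s\n' "$found"
}

# Escape the regex metacharacters a home path may contain (the '.' in vlb99.local)
# so the semanage pattern matches the literal directory name.
regex_escape() {
    printf '%s' "$1" | sed 's/[.^$*+?()[{|]/\\&/g'
}

# Register a persistent context, or update it if a rule for that pattern already
# exists (re-running on RESTORE_DOMAIN would otherwise fail with "already defined").
add_or_modify_fcontext() {
    local type=$1 pattern=$2
    run_cmd semanage fcontext -a -t "$type" "$pattern" 2>/dev/null \
        || run_cmd semanage fcontext -m -t "$type" "$pattern"
}

# Label the wrapper and php.ini of one virtual server.
label_virtual_server() {
    local home=$1 wrapper prefix ini re_home
    wrapper=$(find_fcgi_wrapper "$home") || return 1
    prefix=$(basename "$wrapper" .fcgi)
    ini="$home/etc/$prefix/php.ini"
    if [ ! -e "$ini" ]; then
        echo "missing $ini" >&2
        return 1
    fi
    re_home=$(regex_escape "$home")

    # one rule per home, covering any wrapper/php.ini Virtualmin creates there later
    add_or_modify_fcontext httpd_sys_script_exec_t "$re_home/fcgi-bin/[^/]+\\.fcgi"
    add_or_modify_fcontext etc_t "$re_home/etc/[^/]+/php\\.ini"

    # Virtualmin keeps the wrapper immutable; lift the flag while relabelling.
    run_cmd chattr -i "$wrapper"
    run_cmd restorecon -v "$wrapper" "$ini"
    run_cmd chattr +i "$wrapper"
}

# Hook entry point: only act on the two actions the original script handles.
case "${VIRTUALSERVER_ACTION:-}" in
    CREATE_DOMAIN|RESTORE_DOMAIN)
        label_virtual_server "$VIRTUALSERVER_HOME" && systemctl reload httpd
        ;;
esac
```

After a real run, `ls -Z /home/<server>/fcgi-bin /home/<server>/etc/<prefix>/php.ini` should show the two types, and `semanage fcontext -l | grep /home/<server>` lists the rules that will be reapplied by any future relabel; `restorecon -n -v` on the same paths shows what a relabel would change without doing it.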

Thanks for posting. SELinux has been on my radar for a long time, but even when it’s configured exactly right, it is extremely prone to confusing problems for users, so I’ve never felt confident enabling it by default. We get too many support requests as it is; if we tripled them overnight because SELinux broke everything out of the ordinary, I think I’d die.

Did you see my notes on the subject? https://github.com/virtualmin/Virtualmin-Config/issues/1

Seems like you’ve already sorted out your requirements, but if anybody else is interested in it, it may be helpful.
